GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 41
GitHub Actions: 42
Go: 3,124
Maven: 5,000+
npm: 5,000+
NuGet: 826
pip: 4,434
Pub: 12
RubyGems: 988
Rust: 1,172
Swift: 50

Unreviewed advisories:
All unreviewed: 5,000+
397 advisories
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
Critical; CVE-2026-29191; published Mar 4, 2026 for github.com/zitadel/zitadel (Go)

SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
Critical; CVE-2026-29183; published Mar 4, 2026 for github.com/siyuan-note/siyuan/kernel (Go)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')...
Critical (Unreviewed); CVE-2026-3010; published Feb 28, 2026

Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover
Critical; CVE-2026-27822; published Feb 25, 2026 for rustfs (Rust)

Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering
Critical; CVE-2026-27614; published Feb 25, 2026 for bugsink (pip)

An issue in Visual Studio Code Extensions Live Server v5.7.9 allows attackers to exfiltrate files...
Critical (Unreviewed); CVE-2025-65717; published Feb 16, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')...
Critical (Unreviewed); CVE-2025-8668; published Feb 11, 2026

Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS)...
Critical (Unreviewed); CVE-2025-68723; published Feb 5, 2026

DotNetNuke.Core Vulnerable to Stored XSS via Module Title
Critical; CVE-2026-24838; published Jan 28, 2026 for DotNetNuke.Core (NuGet)

Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE
Critical; GHSA-cr3w-cw5w-h3fj; published Jan 26, 2026 for @saltcorn/server (npm)

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft...
Critical (Unreviewed); CVE-2026-21264; published Jan 23, 2026

A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing...
Critical (Unreviewed); CVE-2026-1181; published Jan 19, 2026

Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling...
Critical (Unreviewed); CVE-2026-21624; published Jan 16, 2026

Lack of input filtering leads to a persistent XSS vulnerability in the forum post handling of the...
Critical (Unreviewed); CVE-2026-21623; published Jan 16, 2026

A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing...
Critical (Unreviewed); CVE-2026-1009; published Jan 16, 2026

Malicious website can execute commands on the local system through XSS in the OpenCode web UI
Critical; CVE-2026-22813; published Jan 13, 2026 for opencode-ai (npm)

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0...
Critical (Unreviewed); CVE-2025-67289; published Dec 22, 2025

An issue was discovered in 25.1.2 before 25.1.5. A Cross Site Scripting (XSS) issue in DriveLock...
Critical (Unreviewed); CVE-2025-67787; published Dec 17, 2025

Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site...
Critical (Unreviewed); CVE-2025-64539; published Dec 10, 2025

Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site...
Critical (Unreviewed); CVE-2025-64538; published Dec 10, 2025

Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site...
Critical (Unreviewed); CVE-2025-64537; published Dec 10, 2025

Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote...
Critical (Unreviewed); CVE-2025-10573; published Dec 9, 2025

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar...
Critical (Unreviewed); CVE-2025-65267; published Dec 3, 2025

Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could...
Critical (Unreviewed); CVE-2025-64130; published Nov 26, 2025

Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18...
Critical (Unreviewed); CVE-2025-60739; published Nov 25, 2025